Let's Encrypt configuration on Apache - apache

When I run
./letsencrypt-auto
I can choose my domains, but in the next step it fails on
IMPORTANT NOTES:
- The following 'urn:acme:error:connection' errors were reported by
the server:
Domains: xx.co.uk
Error: The server could not connect to the client for DV
Does Apache need to be listening on port 443 already, or what else could be the problem?
Apache 2.2, Ubuntu 14 LTS Trusty

I just started using Let's Encrypt. My server runs Apache 2.2 on Ubuntu 12.04. I found it much easier to use Let's Encrypt certonly --webroot mode. Here's an example:
./letsencrypt-auto certonly --webroot \
--renew-by-default --agree-tos \
--email postmaster#analysisandsolutions.com \
-w /var/www/www.analysisandsolutions.com/public_html \
-d www.analysisandsolutions.com -d analysisandsolutions.com
Then I edited the relevant virtual host file in sites-available to contain:
SSLCertificateFile /etc/letsencrypt/live/www.analysisandsolutions.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.analysisandsolutions.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.analysisandsolutions.com/privkey.pem
Finally call service apache2 reload
I also use the resulting certificate for Postfix SMTP and Dovecot IMAP connections.
I made a shell script to simplify the process. More details about all of this can be found on my blog.

Here is an answer.
Yes, Apache needs to be listening on 443. The easiest way is to make your domain work with a self-signed SSL certificate.
Then run
./letsencrypt-auto --apache
And Let's Encrypt does all for you. Amazing!

Related

Why isn't certbot writing the verification file?

I am trying to install a certificate using certbot on Ubuntu Xenial by using the below command:
sudo certbot run -a webroot -i apache -w /var/www/mydomain/public/.well-known/acme-challenge/ -d "example.com"
I get a challenge failed error with the following notes:
Domain: mydomain.com
Type: unauthorized
Detail: Invalid response from
http://example.com/.well-known/acme-challenge/lvJ9RbuDyoPn4NXnxPpjOYpsGHZb6ZYdDoBWW-6JC1k
I created the /.well-known/acme-challenge directory myself, thinking this might help, but it didn't. I tried putting a file into the acme-challenge directory and browsed to it through Chrome, and this worked without an issue. Therefore, I know the Apache host is set up correctly.
I'm now at a loss as to what to try.
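The command in the question passes the .well-known/acme-challenge directory itself as -w. The webroot plugin appends .well-known/acme-challenge/<token> to whatever -w names, while the CA requests http://<domain>/.well-known/acme-challenge/<token>, which Apache resolves against the vhost's DocumentRoot. The following script is an added example (not certbot's code, not part of the question) that reproduces both mappings on disk so the mismatch can be seen before asking the CA to validate; the token string is the one quoted in the error above and the file body is a constructed placeholder.

```python
"""Preflight for certbot's webroot authenticator.

Added example, not certbot's own code. certbot's webroot plugin writes each
challenge file to <webroot>/.well-known/acme-challenge/<token>; the CA then
fetches http://<domain>/.well-known/acme-challenge/<token>, which Apache maps
to <DocumentRoot>/.well-known/acme-challenge/<token>. So -w must name the
vhost's DocumentRoot, not the acme-challenge directory below it.
"""
import os
import tempfile

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_file_path(webroot, token):
    """Where certbot's webroot plugin writes the token for a given -w value."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def served_path(docroot, url_path):
    """Where a static file server (Apache DocumentRoot) looks for a request path."""
    return os.path.normpath(os.path.join(docroot, url_path.lstrip("/")))


def webroot_looks_wrong(webroot):
    """True if -w already ends in .well-known/acme-challenge (the mistake in the question)."""
    return os.path.normpath(webroot).endswith(os.path.join(".well-known", "acme-challenge"))


def preflight(docroot, webroot, token, body):
    """Write the token file the way certbot would, then check whether a request
    for the challenge URL against `docroot` would find that file with that body."""
    written = challenge_file_path(webroot, token)
    os.makedirs(os.path.dirname(written), exist_ok=True)
    with open(written, "w") as fh:
        fh.write(body)
    looked_up = served_path(docroot, CHALLENGE_PREFIX + token)
    served = False
    if os.path.isfile(looked_up):
        with open(looked_up) as fh:
            served = fh.read() == body
    return {"written": written, "looked_up": looked_up, "served": served,
            "webroot_suspicious": webroot_looks_wrong(webroot)}


def demo():
    """Run the check with a correct -w and with the acme-challenge dir as -w,
    each in its own scratch DocumentRoot. The token is the one quoted in the
    question; the key-authorization body is a constructed placeholder."""
    token = "lvJ9RbuDyoPn4NXnxPpjOYpsGHZb6ZYdDoBWW-6JC1k"
    body = token + ".CONSTRUCTED-ACCOUNT-KEY-THUMBPRINT"
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        results["correct_webroot"] = preflight(docroot, docroot, token, body)["served"]
    with tempfile.TemporaryDirectory() as docroot:
        wrong_w = os.path.join(docroot, ".well-known", "acme-challenge")
        results["acme_dir_as_webroot"] = preflight(docroot, wrong_w, token, body)["served"]
    return results


if __name__ == "__main__":
    print(demo())  # {'correct_webroot': True, 'acme_dir_as_webroot': False}
```

With the wrong -w the token ends up two levels too deep (.well-known/acme-challenge/.well-known/acme-challenge/<token>), which is exactly why a hand-placed file in the real acme-challenge directory is reachable from a browser while certbot's own file is not. Against a live host, the same check is to run the preflight with -w set to the real DocumentRoot and then fetch the printed URL with curl.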

Modify certbot manually created certificate

I'm moving my website to a new server (Debian 9 + Apache).
I've installed a certbot certificate for my domain via command:
sudo certbot certonly -d www.theartstory.org --manual --preferred-challenges dns
I've used this command instead of:
sudo certbot --apache
because at that date the DNS records were configured to the old IP address.
Now I need to add the non-www version to this certificate. I've found a command to do this:
sudo certbot certonly --cert-name www.theartstory.org -d www.theartstory.org,theartstory.org
but it fails with error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
How can I fix this issue?
Use the command below 👇🏻:
sudo certbot certonly -d "*.yourdomain.xx" -d yourdomain.xx --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
This is how I solved the problem 👆🏻
Reason: wildcard certificates want to use DNS to renew.
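Both answers in this thread rely on the dns-01 challenge, where certbot --manual prints a TXT value to publish. The following script is an added example (not certbot's code and not from either poster) that shows where that value comes from, per RFC 8555 section 8: the key authorization is the token joined with the RFC 7638 thumbprint of the ACME account key; http-01 serves that string verbatim, dns-01 publishes base64url(SHA-256(key authorization)) at _acme-challenge.<domain>. The account key and token are constructed placeholders.

```python
"""How an ACME client turns a challenge token into the value it publishes.

Added example, not certbot's code. Per RFC 8555 section 8.1 the key
authorization is "<token>.<thumbprint>", the thumbprint being the RFC 7638
JWK thumbprint of the ACME account key. http-01 serves that string at
/.well-known/acme-challenge/<token>; dns-01 publishes
base64url(SHA-256(key authorization)) as a TXT record at
_acme-challenge.<domain> (RFC 8555 section 8.4).
The account key below is a constructed placeholder, not a real RSA key.
"""
import base64
import hashlib
import json

# Members RFC 7638 hashes for each key type; anything else (kid, alg, ...) is ignored.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, keys sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    return token + "." + jwk_thumbprint(jwk)


def http01_body(token: str, jwk: dict) -> str:
    """Content of <webroot>/.well-known/acme-challenge/<token> for http-01."""
    return key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record data for dns-01: 43 unpadded base64url characters."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """TXT owner name. A wildcard *.example.com is validated at the base name,
    so *.example.com and example.com both use _acme-challenge.example.com
    (two separate TXT records, one per identifier, when both are requested)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


# Constructed sample account key: RSA public members with placeholder values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "CONSTRUCTED-not-a-real-modulus", "kid": "ignored-by-thumbprint"}

if __name__ == "__main__":
    token = "tok-CONSTRUCTED"  # real tokens are random base64url strings issued by the CA
    print("http-01 body :", http01_body(token, SAMPLE_JWK))
    print("dns-01 record:", dns01_record_name("*.yourdomain.xx"),
          "TXT", dns01_txt_value(token, SAMPLE_JWK))
```

The practical consequence for the error in this question: a certificate issued with --manual --preferred-challenges dns can only be renewed or extended by a client that can publish these TXT records again, so re-running certonly with a different authenticator (or none) fails with the "does not support any combination of challenges" message. Whichever DNS route is used, the value must be published under the base name even for a wildcard, and the record must be resolvable from the public internet before the challenge is submitted.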

Problem in getting SSL Certificate for my domain at digitalocean droplet through Let's Encrypt

I was trying to get an SSL certificate for my domain on a PhpMyAdmin Droplet by following the steps mentioned at "https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04". My server is OK. I have a DNS A entry for my domain.com and a CNAME entry for my www.domain.com.
As I went to execute "sudo certbot --apache -d your_domain -d www.your_domain",
it asked me to enter an email address, and after that it gave me the following error.
"An unexpected error occurred:
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
"
I tried with root and with a non-root admin user with sudo, but still the same. Any help is appreciated.
Best
I got it resolved. So first run
sudo apt update
sudo apt install --only-upgrade certbot
and then
sudo certbot --apache -d your_domain -d www.your_domain
worked for me

Unable to install LetsEncrypt SSL on CentOS 7

I am trying to install an SSL certificate for my website using Securing Apache with Let's Encrypt on CentOS 7.
My web server is (include version): Apache (cPanel)
My hosting provider, if applicable, is: GoDaddy
I followed this link for that; STEP-1 and STEP-2 were successful,
with the understanding that no firewall has been set up on my VPS.
sudo yum install epel-release
sudo yum install httpd mod_ssl python-certbot-apache
sudo systemctl start httpd
systemctl status httpd
curl www.example.com (Note: works)
sudo certbot --apache -d example.com -d www.example.com
This last command generates an error, as follows:
sudo: certbot: command not found
I tried to install certbot by
sudo yum install certbot
and it installed successfully:
Installed:
certbot.noarch 0:0.27.1-1.el7
Dependency Installed:
audit-libs-python.x86_64 0:2.8.1-3.el7_5.1 checkpolicy.x86_64 0:2.5-6.el7 libcgroup.x86_64 0:0.41-15.el7
libsemanage-python.x86_64 0:2.5-11.el7 policycoreutils-python.x86_64 0:2.5-22.el7 pyOpenSSL.x86_64 0:0.13.1-3.el7
python-IPy.noarch 0:0.75-6.el7 python-cffi.x86_64 0:1.6.0-5.el7 python-enum34.noarch 0:1.0.4-1.el7
python-idna.noarch 0:2.4-1.el7 python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python-ply.noarch 0:3.4-11.el7
python-pycparser.noarch 0:2.14-1.el7 python-requests.noarch 0:2.6.0-1.el7_1 python-requests-toolbelt.noarch 0:0.8.0-1.el7
python-six.noarch 0:1.9.0-2.el7 python-urllib3.noarch 0:1.10.2-5.el7 python-zope-component.noarch 1:4.1.0-3.el7
python-zope-event.noarch 0:4.0.3-2.el7 python-zope-interface.x86_64 0:4.0.5-4.el7 python2-acme.noarch 0:0.27.1-1.el7
python2-certbot.noarch 0:0.27.1-1.el7 python2-configargparse.noarch 0:0.11.0-1.el7 python2-cryptography.x86_64 0:1.7.2-2.el7
python2-future.noarch 0:0.16.0-6.el7 python2-josepy.noarch 0:1.1.0-1.el7 python2-mock.noarch 0:1.0.1-9.el7
python2-parsedatetime.noarch 0:2.4-5.el7 python2-pyasn1.noarch 0:0.1.9-7.el7 python2-pyrfc3339.noarch 0:1.0-2.el7
python2-requests.noarch 0:2.6.0-0.el7 python2-six.noarch 0:1.9.0-0.el7 pytz.noarch 0:2016.10-2.el7
setools-libs.x86_64 0:3.3.8-2.el7
Complete!
I again tried to request an SSL certificate for my domain.
sudo certbot --apache -d example.com -d www.example.com
this time it's returning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed
/var/log/letsencrypt/letsencrypt.log
2018-11-02 08:15:55,542:DEBUG:certbot.main:certbot version: 0.27.1
2018-11-02 08:15:55,542:DEBUG:certbot.main:Arguments: ['--apache', '-d', 'example.com', '-d', 'www.example.com']
2018-11-02 08:15:55,543:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,Plugi$
2018-11-02 08:15:55,611:DEBUG:certbot.log:Root logging level set at 20
2018-11-02 08:15:55,611:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-02 08:15:55,613:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-11-02 08:15:55,613:DEBUG:certbot.plugins.selection:No candidate plugin
2018-11-02 08:15:55,614:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
Note: I replaced example.com with my actual domain
Any help is highly appreciated. Thanks in advance!!
You can try to use the --standalone option (it doesn't require any additional web server), but you have to shut down any HTTP server using port 443.
systemctl stop httpd
/opt/letsencrypt/certbot-auto --standalone -d mydomain.com
Make sure that your DNS record is pointing to the web server where you are running the certbot command.
It will save the certificate on /etc/letsencrypt/archive/mydomain.com/*.pem and update the symlink on /etc/letsencrypt/live/mydomain.com/.
Now, update your Apache configs and restart it.
<VirtualHost *:443>
...
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
...
</VirtualHost>
I recommend you review your SSL and security settings to improve the Apache configuration for your website.
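The debug log in the question already says why selection failed: the registry line lists the plugins certbot found, and "apache" is not among them, so "Requested authenticator apache" ends in "No candidate plugin" (the python-certbot-apache package from the tutorial was never installed, since certbot was installed on its own). The following script is an added example (not certbot's code, not from either poster) that reads those log lines and names the missing plugin; the sample lines are modelled on the question's log, with the truncated "Discovered plugins" line completed using a constructed registry.

```python
"""Explain a certbot 'plugin does not appear to be installed' failure from its debug log.

Added example, not certbot's own code. certbot logs the plugin registry it
discovered and the authenticator/installer it was asked for; when a requested
name is absent from the registry, selection logs "No candidate plugin".
The sample log is modelled on the question above; the registry contents on the
'Discovered plugins' line are constructed, because that line was cut off there.
"""
import re

SAMPLE_LOG = """\
2018-11-02 08:15:55,542:DEBUG:certbot.main:certbot version: 0.27.1
2018-11-02 08:15:55,542:DEBUG:certbot.main:Arguments: ['--apache', '-d', 'example.com', '-d', 'www.example.com']
2018-11-02 08:15:55,543:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-11-02 08:15:55,613:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-11-02 08:15:55,613:DEBUG:certbot.plugins.selection:No candidate plugin
2018-11-02 08:15:55,614:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
"""

PLUGIN_RE = re.compile(r"PluginEntryPoint#([A-Za-z0-9_-]+)")
REQUEST_RE = re.compile(r"Requested authenticator (\S+) and installer (\S+)")


def discovered_plugins(log_text):
    """Plugin names from the 'Discovered plugins: PluginsRegistry(...)' line, sorted."""
    for line in log_text.splitlines():
        if "Discovered plugins:" in line:
            return sorted(set(PLUGIN_RE.findall(line)))
    return []


def requested_plugins(log_text):
    """(authenticator, installer) certbot was asked for, or (None, None) if not logged."""
    m = REQUEST_RE.search(log_text)
    return (m.group(1), m.group(2)) if m else (None, None)


def diagnose(log_text):
    """Which requested plugins are missing from the registry, plus what was available.
    'None' is what certbot logs when no installer was requested, so it is not a plugin name."""
    found = discovered_plugins(log_text)
    auth, inst = requested_plugins(log_text)
    missing = sorted({p for p in (auth, inst) if p and p != "None" and p not in found})
    return {"discovered": found, "requested": (auth, inst), "missing": missing,
            "no_candidate": "No candidate plugin" in log_text}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("available :", ", ".join(report["discovered"]))
    print("requested :", report["requested"])
    print("missing   :", report["missing"] or "none")
```

On a live system the equivalent check is `certbot plugins`, which lists the same registry; if apache is absent, installing the distribution's Apache plugin package (python-certbot-apache on CentOS 7, as the tutorial's yum line shows) is the fix, while --standalone and --webroot, which appear in the registry, are the authenticators that work without it.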

godaddy shared hosting acme.sh

I am trying to set up free HTTPS on my GoDaddy shared hosting (it's cPanel enabled) following the info on https://github.com/Neilpang/acme.sh from my Mac.
However I am stuck...
What I have done so far:
1. Established an SSH connection to the server
2. Installed acme.sh as documented:
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
3. Closed the connection and reestablished it (this was required, as indicated, for getting the paths right or something)
4. Issued the certificate:
acme.sh --issue -d mydomain.com -w www --debug
I found that www is the directory in which my website resides...
After approx. 10 seconds the command says "Cert success".
Then I am lost...
The acme website says "3. Install the issued cert to Apache/Nginx etc."
with a command like:
Apache:
acme.sh --installcert -d example.com \
--certpath /path/to/certfile/in/apache/cert.pem \
--keypath /path/to/keyfile/in/apache/key.pem \
--fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 restart"
or
Nginx:
acme.sh --installcert -d example.com \
--keypath /path/to/keyfile/in/nginx/key.pem \
--fullchainpath /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx restart"
I guess GoDaddy is using Apache?
What are these /path/to/certfile/in/ directories? What are they for my GoDaddy installation?
If you are using GoDaddy shared hosting, you cannot restart/reload Apache to enable the cert, since you are not the root user.
So you cannot use the acme.sh --installcert ... command.
Please copy the cert and key, and set the cert/key in your cPanel dashboard.
Thanks.